TechTorch

Understanding Clickjacking: Techniques, Prevention, and Protection

February 23, 2025

What is Clickjacking?

Clickjacking, also referred to as a UI redress attack, is a type of cyber attack in which a malicious website tricks users into clicking on a different element from the one they perceive. This trickery can lead to unintended actions such as downloading malware, visiting malicious web pages, providing credentials or other sensitive information, or even transferring money and purchasing products online.

How Does Clickjacking Work?

Clickjacking employs a layered technique where an attacker hides their iframe (a frame embedded within a webpage) and overlays it on top of other elements. The user sees only the visible element (e.g., a button), while the click actually lands on the hidden frame, which performs a different operation (e.g., changing a password without the user's knowledge).

Let's break it down with a simple code example (the target site's URL is a placeholder):

<head>
  <style>
    /* The framed target site: same size as the decoy button, almost
       fully transparent, and stacked above the decoy so it receives the click. */
    #target_website {
        position: relative;
        width: 120px;
        height: 120px;
        opacity: 0.00001;
        z-index: 2;
    }
    /* The visible decoy page, stacked beneath the transparent frame. */
    #decoy_website {
        position: absolute;
        width: 300px;
        height: 400px;
        z-index: 1;
    }
  </style>
</head>
<body>
  <div id="decoy_website">
    ...decoy web content here...
  </div>
  <iframe id="target_website" src="target_website_url"></iframe>
</body>

In this example, an iframe is placed within another webpage. The target website is made invisible to the user, while the decoy page looks normal. A user who clicks on the decoy is actually interacting with the target site framed by the attacker.

Protection Techniques Against Clickjacking

To protect against clickjacking, websites can use various techniques, including frame-busting scripts and content security policies (CSP).

Frame-Busting Techniques

Frame-busting techniques use a script in the page that detects when the page has been loaded inside a frame and breaks out of it. Here is an example of a frame-busting script:

// If this window is not the top-level window, the page has been framed:
// navigate the top window to this page's own URL.
if (self !== top) {
    top.location = self.location;
}

This script checks whether the page is the top-level window; if another website has framed it, it navigates the top window to the page's own URL, breaking out of the frame. Frame-busting scripts can be defeated by a framing page, so they should be treated as a defence-in-depth layer alongside the header-based control described next.

Content Security Policy (CSP)

Content Security Policy (CSP) is another powerful tool to defend against clickjacking. A frame-ancestors directive can be used to specify which sites are allowed to embed the resource. Here's a CSP example:

Content-Security-Policy: frame-ancestors 'self'

This directive ensures that the content can only be embedded by the website itself and not by any other domains.
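The following is an added example, not code from the article: it applies the frame-ancestors and X-Frame-Options rules described above to a set of response headers and decides, roughly as a browser would, whether a page may be framed by a given origin; it also builds the header pair a server should send. It assumes lower-case header names, origins written as "scheme://host[:port]", and frame-ancestors sources limited to 'none', 'self' and full origins.

```javascript
// Added example (not from the article). Assumptions: header names are
// lower-case; origins are "scheme://host[:port]"; frame-ancestors sources
// handled are 'none', 'self' and full origins (no wildcards or scheme-only).

function parseFrameAncestors(cspValue) {
  // A CSP value is a ';'-separated list of directives; return the source
  // list of frame-ancestors, or null if the directive is absent.
  for (const directive of cspValue.split(";")) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === "frame-ancestors") return tokens.slice(1);
  }
  return null;
}

function framingAllowed(headers, pageOrigin, embedderOrigin) {
  const csp = headers["content-security-policy"];
  const sources = csp ? parseFrameAncestors(csp) : null;
  if (sources) {
    // When frame-ancestors is present, browsers ignore X-Frame-Options.
    // An empty source list behaves like 'none' (nothing matches).
    return sources.some((src) => {
      const s = src.toLowerCase();
      if (s === "'none'") return false;
      if (s === "'self'") return embedderOrigin === pageOrigin;
      return s === embedderOrigin.toLowerCase();
    });
  }
  // Legacy control: DENY and SAMEORIGIN are the values modern browsers
  // honour (ALLOW-FROM is obsolete and treated here as no control).
  const xfo = (headers["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return embedderOrigin === pageOrigin;
  return true; // no recognised control: any site may frame the page
}

// Headers a server should send to allow framing only by itself and the
// listed partner origins. X-Frame-Options cannot express an allow-list, so
// SAMEORIGIN is sent for old browsers and CSP takes over everywhere else.
function antiFramingHeaders(partnerOrigins = []) {
  return {
    "content-security-policy":
      "frame-ancestors " + ["'self'", ...partnerOrigins].join(" "),
    "x-frame-options": "SAMEORIGIN",
  };
}
```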

Protection Tools

Several apps and tools can help protect against clickjacking:

- Comitari Web Protection Suite
- Flash Player options to prevent anything that blocks the security permission dialog from running hidden
- Internet Explorer users can disable JavaScript
- Firefox users can enable the NoScript add-on

Examples of Clickjacking Attacks

Clickjacking attacks can be implemented in various ways. For instance:

- Users might be asked to enter a text twice while clicking on a decoy to seemingly enter a prize draw, but actually change their password without their knowledge.
- Attackers can trick users into revealing their credentials by hiding a form within an invisible iframe, making the user believe they are clicking on a normal button.

Such attacks often involve social engineering, a common technique employed in phishing attempts.

Conclusion

Clickjacking is a significant threat that can lead to severe data breaches and financial losses. By understanding how clickjacking works and implementing robust protection measures, users and website owners can significantly reduce the risk of such attacks.